Merge "Fix CryptoPlugin use after free vulnerability." into sc-dev

2026-02-01 16:23:37 +00:00 · 2021-04-05 20:47:48 +00:00
parent 46816afaf6 989975ec5a
commit 9cb545e6a0
3 changed files with 29 additions and 17 deletions
--- a/drm/1.0/default/Android.bp
+++ b/drm/1.0/default/Android.bp
@@ -32,6 +32,7 @@ cc_library_static {
        "-Werror",
        "-Wextra",
        "-Wall",
+        "-Wthread-safety",
    ],
    shared_libs: [
        "liblog",
@@ -42,7 +43,7 @@ cc_library_static {
    export_header_lib_headers: [
        "libutils_headers",
    ],
-    export_include_dirs : ["include"]
+    export_include_dirs: ["include"],
 }

 soong_config_module_type {
@@ -59,8 +60,8 @@ android_hardware_drm_1_0_multilib {
    soong_config_variables: {
        TARGET_ENABLE_MEDIADRM_64: {
            compile_multilib: "both",
-        }
-    }
+        },
+    },
 }

 android_hardware_drm_1_0_multilib {
@@ -69,8 +70,8 @@ android_hardware_drm_1_0_multilib {
    soong_config_variables: {
        TARGET_ENABLE_MEDIADRM_64: {
            compile_multilib: "first",
-        }
-    }
+        },
+    },
 }

 cc_defaults {
@@ -98,7 +99,7 @@ cc_binary {
    name: "android.hardware.drm@1.0-service",
    defaults: [
        "android.hardware.drm@1.0-multilib-exe",
-        "android.hardware.drm@1.0-service-defaults"
+        "android.hardware.drm@1.0-service-defaults",
    ],
    init_rc: ["android.hardware.drm@1.0-service.rc"],
    srcs: ["service.cpp"],
@@ -110,7 +111,7 @@ cc_binary {
    name: "android.hardware.drm@1.0-service-lazy",
    defaults: [
        "android.hardware.drm@1.0-multilib-exe",
-        "android.hardware.drm@1.0-service-defaults"
+        "android.hardware.drm@1.0-service-defaults",
    ],
    overrides: ["android.hardware.drm@1.0-service"],
    init_rc: ["android.hardware.drm@1.0-service-lazy.rc"],
--- a/drm/1.0/default/CryptoPlugin.cpp
+++ b/drm/1.0/default/CryptoPlugin.cpp
@@ -53,6 +53,8 @@ namespace implementation {
            uint32_t bufferId) {
        sp<IMemory> hidlMemory = mapMemory(base);

+        std::lock_guard<std::mutex> shared_buffer_lock(mSharedBufferLock);
+
        // allow mapMemory to return nullptr
        mSharedBufferMap[bufferId] = hidlMemory;
        return Void();
@@ -65,7 +67,7 @@ namespace implementation {
            const SharedBuffer& source, uint64_t offset,
            const DestinationBuffer& destination,
            decrypt_cb _hidl_cb) {
-
+        std::unique_lock<std::mutex> shared_buffer_lock(mSharedBufferLock);
        if (mSharedBufferMap.find(source.bufferId) == mSharedBufferMap.end()) {
            _hidl_cb(Status::ERROR_DRM_CANNOT_HANDLE, 0, "source decrypt buffer base not set");
            return Void();
@@ -79,7 +81,7 @@ namespace implementation {
            }
        }

-        android::CryptoPlugin::Mode legacyMode;
+        android::CryptoPlugin::Mode legacyMode = android::CryptoPlugin::kMode_Unencrypted;
        switch(mode) {
        case Mode::UNENCRYPTED:
            legacyMode = android::CryptoPlugin::kMode_Unencrypted;
@@ -170,6 +172,10 @@ namespace implementation {
            _hidl_cb(Status::BAD_VALUE, 0, "invalid destination type");
            return Void();
        }
+
+        // release mSharedBufferLock
+        shared_buffer_lock.unlock();
+
        ssize_t result = mLegacyPlugin->decrypt(secure, keyId.data(), iv.data(),
                legacyMode, legacyPattern, srcPtr, legacySubSamples.get(),
                subSamples.size(), destPtr, &detailMessage);
--- a/drm/1.0/default/CryptoPlugin.h
+++ b/drm/1.0/default/CryptoPlugin.h
@@ -17,11 +17,14 @@
 #ifndef ANDROID_HARDWARE_DRM_V1_0__CRYPTOPLUGIN_H
 #define ANDROID_HARDWARE_DRM_V1_0__CRYPTOPLUGIN_H

-#include <android/hidl/memory/1.0/IMemory.h>
+#include <android-base/thread_annotations.h>
 #include <android/hardware/drm/1.0/ICryptoPlugin.h>
+#include <android/hidl/memory/1.0/IMemory.h>
 #include <hidl/Status.h>
 #include <media/hardware/CryptoAPI.h>

+#include <mutex>
+
 namespace android {
 namespace hardware {
 namespace drm {
@@ -60,19 +63,21 @@ struct CryptoPlugin : public ICryptoPlugin {
    Return<void> setSharedBufferBase(const ::android::hardware::hidl_memory& base,
        uint32_t bufferId) override;

-    Return<void> decrypt(bool secure, const hidl_array<uint8_t, 16>& keyId,
-            const hidl_array<uint8_t, 16>& iv, Mode mode, const Pattern& pattern,
-            const hidl_vec<SubSample>& subSamples, const SharedBuffer& source,
-            uint64_t offset, const DestinationBuffer& destination,
-            decrypt_cb _hidl_cb) override;
+    Return<void> decrypt(
+            bool secure, const hidl_array<uint8_t, 16>& keyId, const hidl_array<uint8_t, 16>& iv,
+            Mode mode, const Pattern& pattern, const hidl_vec<SubSample>& subSamples,
+            const SharedBuffer& source, uint64_t offset, const DestinationBuffer& destination,
+            decrypt_cb _hidl_cb) override NO_THREAD_SAFETY_ANALYSIS;  // use unique_lock

-private:
+  private:
    android::CryptoPlugin *mLegacyPlugin;
-    std::map<uint32_t, sp<IMemory> > mSharedBufferMap;
+    std::map<uint32_t, sp<IMemory>> mSharedBufferMap GUARDED_BY(mSharedBufferLock);

    CryptoPlugin() = delete;
    CryptoPlugin(const CryptoPlugin &) = delete;
    void operator=(const CryptoPlugin &) = delete;
+
+    std::mutex mSharedBufferLock;
 };

 }  // namespace implementation